The increasing sensitivity of information and the growing importance of application functionality "require that we give as much thought to identity proofing as subsequent access control," Taule says.
Data Supply Chain Threats
Data supply chain breaches are an emerging threat, says Timothy Ryan, managing director of Kroll Advisory Solutions' Cyber Investigations practice and former supervisory special agent with the Federal Bureau of Investigation.
"What we've seen this past year is that many companies are not fully aware of all the different parties that are handling or processing their data," Ryan says. "Some companies have outsourced some portion of data processing to a subcontractor, only to find out that the vendor did not have adequate security measures in place, or that they did not know how to handle an incident, or that the company did not notify them right away when there was an issue."
In multi-tenant environments, system administrators can sometimes cut corners, says Wendy Nather, research director, security at 451 Research.
"They may use the same privileged account passwords for each of their tenants, and they may insist on broad network access that an enterprise wouldn't normally allow to anyone else on the Internet," Nather says. "In this way, the third party becomes a jumping-off point for an attacker who wants to get to a particular enterprise."
Unauthorized Access by Former Employees
Unauthorized network access, especially by former employees, continues to be a security issue for many companies, Ryan says.
"What we're finding is that some companies do not fully sever all the access that former employees were provided," Ryan says. His firm is often called in prior to the termination of an employee to make sure the company effectively terminates access for that individual.
"There have also been incidents where we are called in to investigate an employee whose access was not terminated properly and help assess what has been stolen and how to remediate the issue," Ryan says.
The reason why these employees might be accessing this information varies, Ryan notes. At times, it could be to steal intellectual property--such as a source code--that the individual might be interested in selling or using personally. "Or they may be accessing a network to try and secure information about pending litigation," he says. "They may be the subject of a lawsuit and trying to gather information about their termination or related issues."
Embedded Systems Vulnerabilities
Many non-traditional devices are increasingly on networks these days, Taule says, including Internet-enabled cameras, digital video recorders, badge readers and other non-PC devices with an IP address.
"And for those of you who think the Internet of Things--or 'Internet of Vulnerabilities' as I recently heard a colleague quip--is still years off, just ask a peer who works in a hospital and has to deal with untold numbers of network enabled/connected medical devices," Taule says.
Sign up for CIO Asia eNewsletters.